Unfortunately I'm unable to verify the patch as I don't have permissions.
Clicking on the patch renders, "ERROR: You have no access to bug #68799"
Setting the pointer to NULL when the xp_field_type is created should be enough to fix the issue. Free will only be called over the pointer if the pointer is not NULL.
--- php-5.4.36/ext/exif/exif.c 2014-12-16 12:41:23.000000000 -0600
+++ exif.c 2015-01-10 22:00:57.137928420 -0600
@@ -2985,6 +2985,7 @@
case TAG_XP_KEYWORDS:
case TAG_XP_SUBJECT:
tmp_xp = (xp_field_type*)safe_erealloc(ImageInfo->xp_fields.list, (ImageInfo->xp_fields.count+1), sizeof(xp_field_type), 0);
+ tmp_xp.value = NULL;
ImageInfo->sections_found |= FOUND_WINXP;
ImageInfo->xp_fields.list = tmp_xp;
ImageInfo->xp_fields.count++;

I see no reason why this patch shouldn't work fine.
I would set value = NULL immediately after the memory was allocated on line 2987, but that's just a matter of preference. This patch should be equivalent.
I'm not overly familiar with PHP's testing system. Unfortunately, passing the test does _not_ mean the bug doesn't exist. It means either the bug does not exist, or the pointer was allocated over null bytes, which is not an uncommon occurrence. However, it's maybe the best test you're going to get.